MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Mofksys


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103
SHA3-384 hash: e91fddee45622a0cbc50e5219ce4b47d5cd50c5974fb5a6fd062dae3087285d366e06ce697e93f277f4a69db8e29c3ea
SHA1 hash: a358ce0a50163e318473222c7c38b765b0703de6
MD5 hash: fa7740f79a078b04046bf33656c2c430
humanhash: carolina-cat-thirteen-river
File name:svchost.exe
Download: download sample
Signature Worm.Mofksys
Create hunting rule
File size:68'759 bytes
First seen:2025-11-23 09:32:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 09d0478591d4f788cb3e5ea416c25237 (4 x Worm.Mofksys, 3 x Blackmoon, 2 x Gh0stRAT)
ssdeep 1536:EgXsfgWQN1kYsRxWTg3PwSWe991Rdolpdz6JAkA5:1tWYfGATvPe9slp+Ap5
Threatray 7 similar samples on MalwareBazaar
TLSH T1ED63D0E5EC9910BFEC02ABB54570A5C9E1B190EADF1FE47DD79740A02628320E72774E
TrID 49.9% (.EXE) Win32 EXE PECompact compressed (v2.x) (59069/9/14)
35.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
1.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Hexastrike
Tags:exe Worm.Mofksys

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
IE IE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
No threats detected
Analysis date:
2025-11-23 21:59:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb073bf0-926a-4b1d-b03d-bc7d28a7d944

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41004/
Detection(s):
Win.Malware.Swisyn-6911468-0
Create hunting rule

Win.Malware.Swisyn-6911629-0
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypt overlay packed packed packed pecompact visual_basic xpack
Link:
https://www.filescan.io/uploads/6922e60cf96b58f0dc80bbd7/reports/68fd84f8-44b2-497e-b959-fd85b9c48741/overview
Verdict:
Malicious
Labled as:
Trojan.Swisyn
Link:
https://www.hybrid-analysis.com/sample/f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-22T22:34:00Z UTC
Last seen:
2025-11-22T22:54:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/fa7740f79a078b04046bf33656c2c430
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2019-03-25 20:40:31 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
31 of 36 (86.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bms4xzhabliaff74lrgkoqk3wa5as32gy7hnqbb4v3bncnweebq._file
Verdict:
malicious
Label(s):
mofksys
Create hunting rule
Similar samples:
04dbe372208d5592dc52209747519cbfc3a3fc0dddf62e44d6103579c3dcb76f
Worm.Mofksys
806fef1f890ebcf0749e98eaccae82d6b2f200147c7d7c6dad61f2c4675bc25b
Worm.Mofksys
b248184edd8902113f4791ab7d08c8acd8544c7aebb23661348a96e738d35170
Worm.Mofksys
c01b4d9246c5173746dc43fae6103017d141b15f0b87e1e879929404fa9bbf7a
Worm.Mofksys
error
Worm.Mofksys
f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103
Worm.Mofksys
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence
Link:
https://tria.ge/reports/251123-mqp2wsfj6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Verdict:
Malicious
Tags:
Win.Malware.Swisyn-6911468-0
YARA:
n/a
Link:
https://app.threat.zone/submission/191b7581-a7be-49df-9460-878bd203c5ea
Unpacked files
SH256 hash:
f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103
MD5 hash:
fa7740f79a078b04046bf33656c2c430
SHA1 hash:
a358ce0a50163e318473222c7c38b765b0703de6
Link:
https://www.unpac.me/results/a2dfd3b1-b8f4-4f8e-88b0-f8dbff338fbb/
SH256 hash:
5221cbbead94fc0c1d29ca29cd1116be980fad12834ead46b3f03877e7986fb2
MD5 hash:
968537b5cc4bc4e7cbec7640b8a7b753
SHA1 hash:
7819c78524e266552547b10a7a1afee367b30b4c
Detections:
win_mofksys_auto
Create hunting rule
Link:
https://www.unpac.me/results/a2dfd3b1-b8f4-4f8e-88b0-f8dbff338fbb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/f8592e5f2700568014bfe2e2653a0add81d04b7a363e76c021e5761689b62103

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pecompact2
Create hunting rule
Author:Kevin Falcoz
Description:PECompact
Rule name:PECompact2xxBitSumTechnologies
Create hunting rule
Author:malware-lu
Rule name:PECompactV2XBitsumTechnologies
Create hunting rule
Author:malware-lu
Rule name:PECompactv2xx
Create hunting rule
Author:malware-lu
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_2bb7fbe3
Create hunting rule
Author:Elastic Security
Rule name:win_mofksys_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.mofksys.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41004/

Comments